Cisco has urged its customers to upgrade their software after disclosing that state-sponsored hackers have compromised some of its security devices.

In a blog post, the company said hackers exploited previously undetected vulnerabilities in its Adaptive Security Appliances, a product that combines multiple cybersecurity functions. The threat actor, termed UAT4356, deployed two backdoors, which were used to conduct malicious actions, including configuration modification, reconnaissance, network traffic capture/exfiltration, and potentially lateral movement.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” the company said in the post.

Cisco has not identified the initial attack vector but said that network telemetry and intelligence from partners suggest the hacker is targeting — or potentially attacking — network devices from Microsoft and other vendors.

The Cybersecurity and Infrastructure Security Agency (CISA) has also recommended that users and administrators apply the necessary updates, search for any malicious activity, and report positive findings to the agency.

Thinking beyond updates

Cisco emphasized that perimeter network devices serve as ideal entry points for espionage-focused campaigns and must be routinely and promptly patched.

“In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments,” Cisco said in the post.
CIOs and CISOs should focus beyond routine software updates and adopt a holistic approach, said Thomas George, president of market research firm CMR.

“This should include regular security audits to identify and address vulnerabilities—such as unpatched systems or outdated protocols,” George said. “Additionally, robust employee training programs are crucial to raising awareness about phishing, social engineering, and other cyber threats. The widespread implementation of multi-factor authentication, not just for external access but also for internal systems, significantly enhances security.”

George also suggested integrating advanced threat detection technologies like AI-driven anomaly detection and establishing a well-structured incident response plan that includes simulated cyberattack drills, which can dramatically improve an organization’s ability to detect, respond to, and mitigate cyber incidents swiftly.

Combined effort essential

In the post, Cisco explained how it identified the issue. Early in 2024, a customer reached out to its Product Security Incident Response Team (PSIRT) and Cisco Talos, its threat intelligence team, raising security concerns about their Adaptive Security Appliances. PSIRT and Talos collaborated to initiate an investigation to help the customer, which lasted several months and involved various external intelligence partners.

Pareekh Jain, CEO of Pareekh Consulting, stressed that the inherent nature of state-sponsored threats necessitates a collaborative response. He also pointed out the need for more proactive measures.

“First, similar to a bug bounty program in consumer tech, we need more penetration testing and incentives for ethical hackers to identify vulnerabilities,” Jain said. “Secondly, there’s a need for improved threat intelligence. This should involve central agencies like the CIA and NSA.”

“A third point concerns collaboration,” Jain added. “In network security, you’re only as secure as your weakest link.
So, even if your products are secure but your network isn’t, then you’re at risk.”